providers.*ECSRAMRoleCredentialsProvider.getRoleName - Code Metrics - Inspection of "refine the ecs ram role credentials provider" - aliyun/credentials-go - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Push — master ( e68691...412f4e )

by Jackson

created 2024-08-20 07:58 UTC

leName B

↳ Parent: credentials/internal/providers/ecs_ram_role.go

Complexity

Conditions

Size

Total Lines	38
Code Lines	25

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
cc	7
eloc	25
nop	0
dl	0
loc	38
rs	7.8799
c	0
b	0
f	0

package providers

import (
	"encoding/json"
	"errors"
	"fmt"
	"io/ioutil"
	"net/http"
	"os"
	"strconv"
	"strings"
	"time"

	"github.com/aliyun/credentials-go/credentials/internal/utils"
	"github.com/aliyun/credentials-go/credentials/request"
)

const securityCredURL = "http://100.100.100.200/latest/meta-data/ram/security-credentials/"
const apiTokenURL = "http://100.100.100.200/latest/api/token"

type ECSRAMRoleCredentialsProvider struct {
	roleName                     string
	metadataTokenDurationSeconds int
	enableIMDSv2                 bool
	runtime                      *utils.Runtime
	// for sts
	session             *sessionCredentials
	expirationTimestamp int64
}

type ECSRAMRoleCredentialsProviderBuilder struct {
	provider *ECSRAMRoleCredentialsProvider
}

func NewECSRAMRoleCredentialsProviderBuilder() *ECSRAMRoleCredentialsProviderBuilder {
	return &ECSRAMRoleCredentialsProviderBuilder{
		provider: &ECSRAMRoleCredentialsProvider{
			// TBD: 默认启用 IMDS v2
			// enableIMDSv2: os.Getenv("ALIBABA_CLOUD_IMDSV2_DISABLED") != "true", // 默认启用 v2
		},
	}
}

func (builder *ECSRAMRoleCredentialsProviderBuilder) WithMetadataTokenDurationSeconds(metadataTokenDurationSeconds int) *ECSRAMRoleCredentialsProviderBuilder {
	builder.provider.metadataTokenDurationSeconds = metadataTokenDurationSeconds
	return builder
}

func (builder *ECSRAMRoleCredentialsProviderBuilder) WithRoleName(roleName string) *ECSRAMRoleCredentialsProviderBuilder {
	builder.provider.roleName = roleName
	return builder
}

func (builder *ECSRAMRoleCredentialsProviderBuilder) WithEnableIMDSv2(enableIMDSv2 bool) *ECSRAMRoleCredentialsProviderBuilder {
	builder.provider.enableIMDSv2 = enableIMDSv2
	return builder
}

const defaultMetadataTokenDuration = 21600 // 6 hours

func (builder *ECSRAMRoleCredentialsProviderBuilder) Build() (provider *ECSRAMRoleCredentialsProvider, err error) {
	// 设置 roleName 默认值
	if builder.provider.roleName == "" {
		builder.provider.roleName = os.Getenv("ALIBABA_CLOUD_ECS_METADATA")
	}

	if builder.provider.metadataTokenDurationSeconds == 0 {
		builder.provider.metadataTokenDurationSeconds = defaultMetadataTokenDuration
	}

	if builder.provider.metadataTokenDurationSeconds < 1 || builder.provider.metadataTokenDurationSeconds > 21600 {
		err = errors.New("the metadata token duration seconds must be 1-21600")
		return
	}

	builder.provider.runtime = &utils.Runtime{
		ConnectTimeout: 5,
		ReadTimeout:    5,
	}

	provider = builder.provider
	return
}

type ecsRAMRoleResponse struct {
	Code            *string `json:"Code"`
	AccessKeyId     *string `json:"AccessKeyId"`
	AccessKeySecret *string `json:"AccessKeySecret"`
	SecurityToken   *string `json:"SecurityToken"`
	LastUpdated     *string `json:"LastUpdated"`
	Expiration      *string `json:"Expiration"`
}

func (provider *ECSRAMRoleCredentialsProvider) needUpdateCredential() bool {
	if provider.expirationTimestamp == 0 {
		return true
	}

	return provider.expirationTimestamp-time.Now().Unix() <= 180
}

func (provider *ECSRAMRoleCredentialsProvider) getRoleName() (roleName string, err error) {
	httpRequest, err := hookNewRequest(http.NewRequest)("GET", securityCredURL, strings.NewReader(""))
	if err != nil {
		err = fmt.Errorf("get role name failed: %s", err.Error())
		return
	}

	if provider.enableIMDSv2 {
		metadataToken, err := provider.getMetadataToken()
		if err != nil {
			return "", err
		}
		httpRequest.Header.Set("x-aliyun-ecs-metadata-token", metadataToken)
	}

	httpClient := &http.Client{
		Timeout: 5 * time.Second,
	}
	httpResponse, err := hookDo(httpClient.Do)(httpRequest)
	if err != nil {
		err = fmt.Errorf("get role name failed: %s", err.Error())
		return
	}

	if httpResponse.StatusCode != http.StatusOK {
		err = fmt.Errorf("get role name failed: request %s %d", securityCredURL, httpResponse.StatusCode)
		return
	}

	defer httpResponse.Body.Close()

	responseBody, err := ioutil.ReadAll(httpResponse.Body)
	if err != nil {
		return
	}

	roleName = strings.TrimSpace(string(responseBody))
	return
}

func (provider *ECSRAMRoleCredentialsProvider) getCredentials() (session *sessionCredentials, err error) {
	roleName := provider.roleName
	if roleName == "" {
		roleName, err = provider.getRoleName()
		if err != nil {
			return
		}
	}

	requestUrl := securityCredURL + roleName
	httpRequest, err := hookNewRequest(http.NewRequest)("GET", requestUrl, strings.NewReader(""))
	if err != nil {
		err = fmt.Errorf("refresh Ecs sts token err: %s", err.Error())
		return
	}

	if provider.enableIMDSv2 {
		metadataToken, err := provider.getMetadataToken()
		if err != nil {
			return nil, err
		}
		httpRequest.Header.Set("x-aliyun-ecs-metadata-token", metadataToken)
	}

	httpClient := &http.Client{
		Timeout: 5 * time.Second,
	}
	httpResponse, err := hookDo(httpClient.Do)(httpRequest)
	if err != nil {
		err = fmt.Errorf("refresh Ecs sts token err: %s", err.Error())
		return
	}

	defer httpResponse.Body.Close()

	responseBody, err := ioutil.ReadAll(httpResponse.Body)
	if err != nil {
		return
	}

	if httpResponse.StatusCode != http.StatusOK {
		err = fmt.Errorf("refresh Ecs sts token err, httpStatus: %d, message = %s", httpResponse.StatusCode, string(responseBody))
		return
	}

	var data ecsRAMRoleResponse
	err = json.Unmarshal(responseBody, &data)
	if err != nil {
		err = fmt.Errorf("refresh Ecs sts token err, json.Unmarshal fail: %s", err.Error())
		return
	}

	if data.AccessKeyId == nil || data.AccessKeySecret == nil || data.SecurityToken == nil {
		err = fmt.Errorf("refresh Ecs sts token err, fail to get credentials")
		return
	}

	if *data.Code != "Success" {
		err = fmt.Errorf("refresh Ecs sts token err, Code is not Success")
		return
	}

	session = &sessionCredentials{
		AccessKeyId:     *data.AccessKeyId,
		AccessKeySecret: *data.AccessKeySecret,
		SecurityToken:   *data.SecurityToken,
		Expiration:      *data.Expiration,
	}
	return
}

func (provider *ECSRAMRoleCredentialsProvider) GetCredentials() (cc *Credentials, err error) {
	if provider.session == nil || provider.needUpdateCredential() {
		session, err1 := provider.getCredentials()
		if err1 != nil {
			return nil, err1
		}

		provider.session = session
		expirationTime, err2 := time.Parse("2006-01-02T15:04:05Z", session.Expiration)
		if err2 != nil {
			return nil, err2
		}
		provider.expirationTimestamp = expirationTime.Unix()
	}

	cc = &Credentials{
		AccessKeyId:     provider.session.AccessKeyId,
		AccessKeySecret: provider.session.AccessKeySecret,
		SecurityToken:   provider.session.SecurityToken,
		ProviderName:    provider.GetProviderName(),
	}
	return
}

func (provider *ECSRAMRoleCredentialsProvider) GetProviderName() string {
	return "ecs_ram_role"
}

func (provider *ECSRAMRoleCredentialsProvider) getMetadataToken() (metadataToken string, err error) {
	request := request.NewCommonRequest()
	request.URL = apiTokenURL
	request.Method = "PUT"
	request.Headers["X-aliyun-ecs-metadata-token-ttl-seconds"] = strconv.Itoa(provider.metadataTokenDurationSeconds)
	content, err := doAction(request, provider.runtime)
	if err != nil {
		err = fmt.Errorf("get metadata token failed: %s", err.Error())
		return
	}
	metadataToken = string(content)
	return
}


1			package providers
2
3			import (
4			"encoding/json"
5			"errors"
6			"fmt"
7			"io/ioutil"
8			"net/http"
9			"os"
10			"strconv"
11			"strings"
12			"time"
13
14			"github.com/aliyun/credentials-go/credentials/internal/utils"
15			"github.com/aliyun/credentials-go/credentials/request"
16			)
17
18			const securityCredURL = "http://100.100.100.200/latest/meta-data/ram/security-credentials/"
19			const apiTokenURL = "http://100.100.100.200/latest/api/token"
20
21			type ECSRAMRoleCredentialsProvider struct {
22			roleName string
23			metadataTokenDurationSeconds int
24			enableIMDSv2 bool
25			runtime *utils.Runtime
26			// for sts
27			session *sessionCredentials
28			expirationTimestamp int64
29			}
30
31			type ECSRAMRoleCredentialsProviderBuilder struct {
32			provider *ECSRAMRoleCredentialsProvider
33			}
34
35			func NewECSRAMRoleCredentialsProviderBuilder() *ECSRAMRoleCredentialsProviderBuilder {
36			return &ECSRAMRoleCredentialsProviderBuilder{
37			provider: &ECSRAMRoleCredentialsProvider{
38			// TBD: 默认启用 IMDS v2
39			// enableIMDSv2: os.Getenv("ALIBABA_CLOUD_IMDSV2_DISABLED") != "true", // 默认启用 v2
40			},
41			}
42			}
43
44			func (builder ECSRAMRoleCredentialsProviderBuilder) WithMetadataTokenDurationSeconds(metadataTokenDurationSeconds int) ECSRAMRoleCredentialsProviderBuilder {
45			builder.provider.metadataTokenDurationSeconds = metadataTokenDurationSeconds
46			return builder
47			}
48
49			func (builder ECSRAMRoleCredentialsProviderBuilder) WithRoleName(roleName string) ECSRAMRoleCredentialsProviderBuilder {
50			builder.provider.roleName = roleName
51			return builder
52			}
53
54			func (builder ECSRAMRoleCredentialsProviderBuilder) WithEnableIMDSv2(enableIMDSv2 bool) ECSRAMRoleCredentialsProviderBuilder {
55			builder.provider.enableIMDSv2 = enableIMDSv2
56			return builder
57			}
58
59			const defaultMetadataTokenDuration = 21600 // 6 hours
60
61			func (builder ECSRAMRoleCredentialsProviderBuilder) Build() (provider ECSRAMRoleCredentialsProvider, err error) {
62			// 设置 roleName 默认值
63			if builder.provider.roleName == "" {
64			builder.provider.roleName = os.Getenv("ALIBABA_CLOUD_ECS_METADATA")
65			}
66
67			if builder.provider.metadataTokenDurationSeconds == 0 {
68			builder.provider.metadataTokenDurationSeconds = defaultMetadataTokenDuration
69			}
70
71			if builder.provider.metadataTokenDurationSeconds < 1 \|\| builder.provider.metadataTokenDurationSeconds > 21600 {
72			err = errors.New("the metadata token duration seconds must be 1-21600")
73			return
74			}
75
76			builder.provider.runtime = &utils.Runtime{
77			ConnectTimeout: 5,
78			ReadTimeout: 5,
79			}
80
81			provider = builder.provider
82			return
83			}
84
85			type ecsRAMRoleResponse struct {
86			Code *string `json:"Code"`
87			AccessKeyId *string `json:"AccessKeyId"`
88			AccessKeySecret *string `json:"AccessKeySecret"`
89			SecurityToken *string `json:"SecurityToken"`
90			LastUpdated *string `json:"LastUpdated"`
91			Expiration *string `json:"Expiration"`
92			}
93
94			func (provider *ECSRAMRoleCredentialsProvider) needUpdateCredential() bool {
95			if provider.expirationTimestamp == 0 {
96			return true
97			}
98
99			return provider.expirationTimestamp-time.Now().Unix() <= 180
100			}
101
102			func (provider *ECSRAMRoleCredentialsProvider) getRoleName() (roleName string, err error) {
103			httpRequest, err := hookNewRequest(http.NewRequest)("GET", securityCredURL, strings.NewReader(""))
104			if err != nil {
105			err = fmt.Errorf("get role name failed: %s", err.Error())
106			return
107			}
108
109			if provider.enableIMDSv2 {
110			metadataToken, err := provider.getMetadataToken()
111			if err != nil {
112			return "", err
113			}
114			httpRequest.Header.Set("x-aliyun-ecs-metadata-token", metadataToken)
115			}
116
117			httpClient := &http.Client{
118			Timeout: 5 * time.Second,
119			}
120			httpResponse, err := hookDo(httpClient.Do)(httpRequest)
121			if err != nil {
122			err = fmt.Errorf("get role name failed: %s", err.Error())
123			return
124			}
125
126			if httpResponse.StatusCode != http.StatusOK {
127			err = fmt.Errorf("get role name failed: request %s %d", securityCredURL, httpResponse.StatusCode)
128			return
129			}
130
131			defer httpResponse.Body.Close()
132
133			responseBody, err := ioutil.ReadAll(httpResponse.Body)
134			if err != nil {
135			return
136			}
137
138			roleName = strings.TrimSpace(string(responseBody))
139			return
140			}
141
142			func (provider ECSRAMRoleCredentialsProvider) getCredentials() (session sessionCredentials, err error) {
143			roleName := provider.roleName
144			if roleName == "" {
145			roleName, err = provider.getRoleName()
146			if err != nil {
147			return
148			}
149			}
150
151			requestUrl := securityCredURL + roleName
152			httpRequest, err := hookNewRequest(http.NewRequest)("GET", requestUrl, strings.NewReader(""))
153			if err != nil {
154			err = fmt.Errorf("refresh Ecs sts token err: %s", err.Error())
155			return
156			}
157
158			if provider.enableIMDSv2 {
159			metadataToken, err := provider.getMetadataToken()
160			if err != nil {
161			return nil, err
162			}
163			httpRequest.Header.Set("x-aliyun-ecs-metadata-token", metadataToken)
164			}
165
166			httpClient := &http.Client{
167			Timeout: 5 * time.Second,
168			}
169			httpResponse, err := hookDo(httpClient.Do)(httpRequest)
170			if err != nil {
171			err = fmt.Errorf("refresh Ecs sts token err: %s", err.Error())
172			return
173			}
174
175			defer httpResponse.Body.Close()
176
177			responseBody, err := ioutil.ReadAll(httpResponse.Body)
178			if err != nil {
179			return
180			}
181
182			if httpResponse.StatusCode != http.StatusOK {
183			err = fmt.Errorf("refresh Ecs sts token err, httpStatus: %d, message = %s", httpResponse.StatusCode, string(responseBody))
184			return
185			}
186
187			var data ecsRAMRoleResponse
188			err = json.Unmarshal(responseBody, &data)
189			if err != nil {
190			err = fmt.Errorf("refresh Ecs sts token err, json.Unmarshal fail: %s", err.Error())
191			return
192			}
193
194			if data.AccessKeyId == nil \|\| data.AccessKeySecret == nil \|\| data.SecurityToken == nil {
195			err = fmt.Errorf("refresh Ecs sts token err, fail to get credentials")
196			return
197			}
198
199			if *data.Code != "Success" {
200			err = fmt.Errorf("refresh Ecs sts token err, Code is not Success")
201			return
202			}
203
204			session = &sessionCredentials{
205			AccessKeyId: *data.AccessKeyId,
206			AccessKeySecret: *data.AccessKeySecret,
207			SecurityToken: *data.SecurityToken,
208			Expiration: *data.Expiration,
209			}
210			return
211			}
212
213			func (provider ECSRAMRoleCredentialsProvider) GetCredentials() (cc Credentials, err error) {
214			if provider.session == nil \|\| provider.needUpdateCredential() {
215			session, err1 := provider.getCredentials()
216			if err1 != nil {
217			return nil, err1
218			}
219
220			provider.session = session
221			expirationTime, err2 := time.Parse("2006-01-02T15:04:05Z", session.Expiration)
222			if err2 != nil {
223			return nil, err2
224			}
225			provider.expirationTimestamp = expirationTime.Unix()
226			}
227
228			cc = &Credentials{
229			AccessKeyId: provider.session.AccessKeyId,
230			AccessKeySecret: provider.session.AccessKeySecret,
231			SecurityToken: provider.session.SecurityToken,
232			ProviderName: provider.GetProviderName(),
233			}
234			return
235			}
236
237			func (provider *ECSRAMRoleCredentialsProvider) GetProviderName() string {
238			return "ecs_ram_role"
239			}
240
241			func (provider *ECSRAMRoleCredentialsProvider) getMetadataToken() (metadataToken string, err error) {
242			request := request.NewCommonRequest()
243			request.URL = apiTokenURL
244			request.Method = "PUT"
245			request.Headers["X-aliyun-ecs-metadata-token-ttl-seconds"] = strconv.Itoa(provider.metadataTokenDurationSeconds)
246			content, err := doAction(request, provider.runtime)
247			if err != nil {
248			err = fmt.Errorf("get metadata token failed: %s", err.Error())
249			return
250			}
251			metadataToken = string(content)
252			return
253			}
254

aliyun / credentials-go

GitHub Access Token became invalid

Push — master ( e68691...412f4e )

leName B

Complexity

Size

Duplication

Importance

Duplication Side-by-Side

Filter issues like